A group of attackers, known as Asylum Ambuscade, continues to wreak havoc on small and medium-sized companies around the globe. This group has been operating since 2020 and was first detected by Proofpoint in March 2022.
ESET recently reported that the latest campaigns used targeted phishing emails carrying malicious documents that ran VBScript code and exploited CVE-2022-30190. This led to the installation of the SunSeed malware, which in turn loads the AHKBOT second-stage module from the attackers' C2 server.
Asylum Ambuscade has broadened its target audience, launching attacks on bank customers, cryptocurrency traders, government entities, and various small and medium-sized businesses in North America, Europe, and Central Asia. ESET notes that the group uses new infection vectors, such as malicious Google ads that redirect users to malicious JavaScript code. In addition, since March 2023 the group has been using a new tool, Nodebot, which is a port of AHKBOT to Node.js.
The malware can capture screenshots, extract passwords from browsers such as Internet Explorer, Firefox, and Chromium, and even load additional AutoHotkey plugins onto the infected device. These plugins serve varying functions, such as loading Cobalt Strike, installing Chrome for hVNC, launching a keylogger, deploying the Rhadamanthys infostealer, launching commercially available RATs, and more.
According to ESET, Asylum Ambuscade has infected roughly 4,500 users since January 2022, which averages to about 265 victims per month, making this group an ongoing threat to organizations across the globe.
Although the attackers target cryptocurrency and bank accounts for monetary gain, the infection of SMB companies could also signal cyberespionage. While the group might sell access to these companies' networks to other cybercriminals for ransomware deployment, ESET has yet to find evidence supporting this hypothesis.